...

In order to validate that a given user is allowed to use a certain context level, the MCB must be able to obtain the list from some source. This is done by tying in with the standard Shibboleth attribute-resolver.xml file. The value given here is the ID value of an attribute resolver rule that contains those choices. Once a user is authenticated, the attribute resolver will be called to resolve those values and use them in the decision making process.

principalAuthnContextRequired

    <!--
        If set to FALSE, then if the user has no assigned contexts and the SP does not request one, then
        successful authentication via the initial authentication will be returned to the SP as
        successful. This in effect mimics the current Shibboleth behavior.
        If set to TRUE, then a valid context for the user is always required.
     -->
    <principalAuthnContextRequired>true</principalAuthnContextRequired>

This option lets the administrator permit a user to authenticate successfully to an SP when the user has no context assigned to their identity in the IDMS and the SP does not request any context value. When this value is set to false, the behavior of regular Shibboleth authentication is used. If the SP requests a context value, this option is ignored. If the user has a context assigned, this option is ignored.

maxFailures

    <!-- 
        The maximum number of failures allowed a user before returning a SAML failure to the
        relying party. Must be specified according to schema definition. Set to a value of -1
        to allow an unlimited number of login failures.
     -->
    <maxFailures>3</maxFailures>

...

Any number of context values may be specified.

You may NOT define a circular reference within the context section. The MCB will check for circular dependencies on start up and throw a fatal exception if one is found.

authnMethods

    <!--
        authMethods is the list of authentication methods supported by the MCB
     -->
    <authMethods>
        <!--
            A method defines one authentication method. The name attribute corresponds to the method value
            used in the context definition. The bean attribute is the name of the submodule bean loaded by
            the Spring framework during Shibboleth startup. The value of the method node is the friendly name
            used for display purposes.
        -->
        <method name="password" bean="mcb.usernamepassword">
            Username/Password Only
        </method>
        <method name="bronze" bean="mcb.usernamepasswordbronze">
            Bronze Level Password
        </method>
        <method name="silver" bean="mcb.usernamepasswordsilver">
            Silver Assurance Level
        </method>
    </authMethods>

Authentication methods are implemented by the submodules defined in the Spring configuration file. Each method has a name, which corresponds to the method attribute of the context definitions (tying them together). Each method also has a bean name, which ties back to the Spring definition. Finally, each method has a value that is used as the friendly display name when the user selects an authentication method. Each context defined must have a method that can be used to satisfy it. Note that multiple context values may use the same method. In that case, a user completing authentication by that method satisfies every context value that the user is allowed to use and that has that method configured. As an example, if you define the password and bronze contexts to both use the password method, then the user will have completed both authentication contexts (password and bronze), assuming the user is allowed to use both password and bronze. This is true even if the user selected password (implying that bronze is a higher level of authentication).
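As an added illustration (not MCB code), here is a small Python model of the decisions these settings drive: parsing the authMethods element, checking that every context names a declared method, the rule that one method satisfies every allowed context configured with it, and the principalAuthnContextRequired and maxFailures handling described above. The context names, the context-to-method mapping and the "failure returned on reaching the limit" reading of maxFailures are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed authMethods fragment, shaped like the page's example.
AUTH_METHODS_XML = """
<authMethods>
  <method name="password" bean="mcb.usernamepassword">Username/Password Only</method>
  <method name="bronze" bean="mcb.usernamepasswordbronze">Bronze Level Password</method>
  <method name="silver" bean="mcb.usernamepasswordsilver">Silver Assurance Level</method>
</authMethods>
"""

# Constructed context -> method mapping (assumption: the page's context section
# is elided, so only the documented "method attribute" relationship is modelled).
CONTEXT_METHOD = {
    "urn:example:password": "password",
    "urn:example:bronze": "password",   # two contexts sharing one method
    "urn:example:silver": "silver",
}

def parse_auth_methods(xml_text):
    """Return {method name: {"bean": ..., "label": ...}} from an authMethods element."""
    root = ET.fromstring(xml_text.strip())
    return {m.get("name"): {"bean": m.get("bean"), "label": (m.text or "").strip()}
            for m in root.findall("method")}

def undefined_methods(context_method, methods):
    """Contexts whose method is not declared in authMethods (a startup-time sanity check)."""
    return {ctx for ctx, meth in context_method.items() if meth not in methods}

def contexts_satisfied(method_used, user_allowed, context_method):
    """After a successful login with method_used, the user has satisfied every
    context they are allowed to use whose method is method_used, regardless of
    which single context they picked on the selection screen."""
    return {ctx for ctx in user_allowed if context_method.get(ctx) == method_used}

def initial_auth_acceptable(user_allowed, sp_requested, principal_required):
    """May the initial authentication be reported to the SP as success with no
    MCB context? Only when the user has no assigned contexts, the SP requested
    none, and principalAuthnContextRequired is false; otherwise the option is ignored."""
    if user_allowed or sp_requested:
        return False
    return not principal_required

def failures_exhausted(failure_count, max_failures):
    """True once a user's failed logins reach maxFailures; -1 means unlimited
    (assumption: the SAML failure is returned on reaching, not exceeding, the limit)."""
    return max_failures != -1 and failure_count >= max_failures
```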

...